How can I use certbot to configure new nginx sites to use my wildcard?

So, we're creating a SaaS which deploys new sites to a subdomain.

I managed to setup a wildcard certificate with the command:

sudo certbot --nginx --server https://acme-v02.api.letsencrypt.org/directory --preferred-challenges dns -d *.domain.cloud

Is there a way I can do this without running this whole command again?

  1. Solution with a problem: One option is to run the command with --non-interactive flag, but I need to choose Attempt to reinstall this existing certificate automatically. Otherwise I might quickly reach my daily limit renewing the certificate.

  2. Problem: A problem I have with this option is that I have removed some subdomains in Cpanel and don't know how to remove them from the wildcard cert.

Some guidance on these two would be immensely appreciated!

So if I understand correctly, you're using certbot to install the already existing certificate into a new virtualhost? I'm guessing here, but probably because certbot initially also created the HTTPS virtualhost in the first place? My suggestions:

  1. Just create the HTTPS virtualhost in nginx yourself instead of certbot. Shouldn't be too hard, right? Just create the HTTPS virtualhost with the SSL options pointing to the existing certificate and reload nginx.
  2. There's nothing to remove from the wildcard certificate? The certificate contains just the hostname *.domain.tld, any subdomain added/present in cPanel doesn't magically show up in the certificate. Or maybe I don't understand you entirely?
2 Likes

Thank you for your answer @Osiris

I'm using a platform which already creates the virtual hosts. All I need is to use certbot to correctly change all the Non-SSL blocks to use the wildcard.

I've just learnt that I can do this with certbot install --nginx --cert-name domain.cloud

But how do I tell certbot to install over all the nginx server blocks when I add --non-interactive?

1 Like

It seems an option called --reinstall exists, which is an alias for --keep-until-expiring. The latter name doesn't seem to inspire much confidence in the behaviour we require, but --reinstall does. So maybe it could work?

2 Likes

Any idea on how to tell certbot to do this for all virtualhosts aka server blocks?

You reference "domain.cloud" and then use wildcard defined as "*.domain.cloud".
I must point out that by default "*.domain.cloud" will not cover the name "domain.cloud".
If you mean "SiteX.domain.cloud", then yes, the wilcard would cover that name.

Using certbot to simply install a cert should be a viable option to this request.
But I think you may need some more detail in that command line.
You need to specify:
certbot
install
--nginx
--cert-name {actual cert name - see: certbot certificates for name}
-d {list of domains - keeping names to match those on one vhost}

[then repeat that command once for each vhost that needs TLS enabled]

EDIT: You may also need to include if you want it to redirect HTTP to HTTPS or not.

2 Likes

Thank you @rg305

I just cant imagine running a command with a thousand chained domains (-d sud.domain.cloud). I was hoping I could do something like -d *.domain.cloud

Think that through!
You are asking certbot to create one single file with each request.
So if that were to happen with one single call, it would catch all your FQDNs into one single vhost file - with one single document root location - serving the content from only one site.

What you want is to site back, click one button, and have something else do the work for you [a thousand times over].
Not knocking your groove - just saying if you want that to happen you will have to write some code to get the system to work for you.

Think:

do until no more vhosts:
 get the next insecure vhost
 create a secure version using certbot and variables.
loop d loop:
2 Likes

Try using the --cert-name and the -d option! Might just work! Maybe not, I dunno.. Worth a try.

1 Like

Please don't try putting all the FQDNs into one call.
If it happens to succeed, you will only end up with one vhost with a ton of alias names and likely break your nginx config in the process.
[I have doubts that it could even complete such an outrageous request - but nothing good would come of it if it would]

1 Like

Gotcha @rg305, thank you for your thoughtful input.

@Osiris
It seems adding the new site with -d site.domain.cloud does not disturb the existing ones. This suffices for now... til it goes tits up again.

I remember before the wildcard cert, running certbot --nginx -d something.com kept messing with all the other sites.

I appreciate you guys, spending a Friday evening(?) helping an internet stranger

3 Likes

Afternoon :wink:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.